Veracode Report Shows Signs of Progress

April 23, 2022

Veracode recently released their State of Software Security report in partnership with the Cyentia Institute. The report found a continuing trend towards smaller applications being scanned more regularly for issues, and a general decline in the number of security vulnerabilities, despite the industry still having a long way to go.

Since the White House issued the Executive Order on Improving the Nation’s Cybersecurity, there’s been a flurry of reports from vendors peddling solutions and advice. Security is a critically underserved topic in the IT world, receiving periodic bursts of attention from anxious and impatient executives while beleaguered security pros labor to make it easier and more integrated into development. Reports like the State of Software Security report help cut through confusion and provide wise insights and advice.

The report offers observations on the changing state of software development, common flaws, and advice on a path forward. Among the trends noted in the research is that “JavaScript, Python, and .NET have seen declines in app sizes, indicating a trend toward more microservices.” Microservices reduce the complexity and attack surface of individual applications, at the possible cost of making an integrated system more difficult to understand and manage. Another sign of the move towards microservices is the declining number of multi-language projects, indicating a preference for separating apps along language boundaries.

Veracode has produced this report for 12 years, and its most recent report summarizes scans from almost 600,000 applications. The longevity of this report allows them to spot contrasts such as the 20x increase in median scan frequency between 2010 and 2021. The movement from scanning 2-3 times per year to scanning at least weekly for 90% of apps reflects the integration of security scanning into the development lifecycle, and the move towards agile and DevSecOps. The report reflects an exponential decrease in the mean time between scans, coinciding with the rise in deployment frequency associated with continuous delivery.

Veracode observed a gradual increase in the number of applications scanned per customer, growing to 17 new apps per quarter, up from five in 2010. This implies that security scanning is becoming a more natural act and a lighter lift for development teams as they gain familiarity with adding it into the development pipeline. Different types of analysis also tend to reveal different flaws, meaning that teams are well served by performing multiple types of security analysis, such as both static and dynamic application security testing.

One encouraging observation was the reduction in known vulnerabilities in third-party libraries from 35% in 2017 to 10% in 2021. This is likely due to the increasing prevalence of security scanning software from commercial providers like Veracode and Sonatype, as well as efforts from GitHub enabling Advanced Security for all public repositories. Most open source contributors are now familiar with GitHub’s Dependabot notifications of known vulnerabilities in their projects’ dependencies.

The trend of security software vendors producing increasingly robust research is beneficial for the industry. The report was co-written with Cyentia Institute, a security research and data analysis institute founded by some of the authors of Verizon’s Data Breach Investigations Report. Sonatype has also produced its State of the Software Supply Chain report for the last seven years. Dependency analysis, software composition analysis (SCA), software bill of materials (SBOM), and software supply chain (SSC) have entered the daily vernacular of most development teams. This reflects the risky side of the open source world, which facilitates promiscuous includes and hides dependencies several layers down. Automated analysis is now a necessity, and it’s great to have an increasing variety of reliable choices.

Original Publication Link:
https://www.infoq.com/news/2022/04/veracode-securing-supply/